View Only
last person joined: 14 hours ago 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

ClearPass OnGuard | MAC used for auth | Terminate/Bounce issue

This thread has been viewed 16 times
  • 1.  ClearPass OnGuard | MAC used for auth | Terminate/Bounce issue

    Posted Jun 19, 2024 12:22 PM

    Hello All, 

    I am currently working through a ClearPass LAB, and everything has gone smoothly until I try to integrate the OnGuard portion. I am running CPPM on CLABV. 

    My objective is to Authenticate utilizng EAP-TLS via Cisco Switch (this works wonderfully), grab a posture check, bounce/terminate the session, and utilize the posture status to drop the user into a specific VLAN. 

    Independently, these checks both work without issue. I am running the Agent-based unit. I see a good auth in the Tracker for the 802.1x and the WebAuth OnGuard comes shortly after. In my WebAuth enforcement, I have it set to enforce a bounce for anything posture-related. I have tried multiple methods to force any type of bounce but I can not see any attempt. I do have Wireshark in multiple spots, and I never see CPPM attempt to push that CoA. 

    Below is a summary of what I have configured

    802.1x Summary

    My Idea here and I could be wrong is if the device has a posture status the policy can take the correct action if it's unknown let it hang out and run the posture check

    the fail and pass profiles return a VLAN number         

    The WebAuth/Posture policy is configured as follows

    The Enforcement I  currently have in place is to terminate the session no matter what.  I have also tried to bounce, disable, and re-authenticate tied to specific posture values with no luck.

    I see that both services are hit and complete in the Tracker, but I do not get any action from the WebAuth

    I have realized that the Webauth uses a separate endpoint/MAC address that does not exist in the switch table. 

    I did change the global setting to utilize the username, but that, unfortunately, did not change the behavior.

    I am stuck here, and I can not seem to get it to operate as I intend. Am I missing something, or is my understanding completely off on how this is supposed to operate? 

    I can provide anything more that may help in diagnosing/resolving. Thanks in advance for any support! 

  • 2.  RE: ClearPass OnGuard | MAC used for auth | Terminate/Bounce issue

    Posted Jun 20, 2024 12:26 PM

    Have you verified that RADIUS CoA is working to the switch? You can test bouncing the clients session by using the "change status" button in the access tracker entry for the current session. If that doesn't work, then the cisco config would need some attention. Maybe the L4 port is wrong? You could also try using the agent bounce instead, which send the bounce to the OnGuard client itself instead of the switch. It will disable and enable the interface on the device.

    Dustin Burns

    Lead Mobility Engineer @Worldcom Exchange, Inc.

    ACCX 1271| ACMX 509| ACSP | ACDA | MVP Guru 2022-2023
    If my post was useful accept solution and/or give kudos

  • 3.  RE: ClearPass OnGuard | MAC used for auth | Terminate/Bounce issue

    Posted Jun 20, 2024 06:31 PM


    I tested the change status and saw a successful re-auth and port-bounce this was also confirmed via Wireshark. 

    My new question goes back to the MAC address used, the OnGaurd is coming with a completely different MAC address while the dot1x uses the passthrough NIC I have assigned. 

    When I force a re-auth, the 1x MAC has never had any posture associated with it.

    .1x  Auth

    Webauth via OnGuard Agent 

    I can not attribute that MAC to anything on the machine unless the agent generates it. 

    So what I am stuck on is even if I trigger the auth, the passthrough NIC has never officially been postured, and no action can be taken on that value.